tried to login but they do not have USE permission or weren't found. Deleting remember me cookie

Mary Wilson September 22, 2017

I'm at a loss on this one.  I have ONE user who can't seem to log into JIRA (server 7.4.3).  They were able to log in back in July, but can't now.  I get the following in the log:

'vandala' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2017-09-05 16:38:42,143 http-nio-80-exec-500 anonymous 998x1090914x1 1ngbs20 10.70.57.20 /login.jsp The user 'vandala' has FAILED authentication. Failure count equals 33

 I've checked their groups - all correct.  I've removed them from all groups and re-added.  Still the same error.  They've changed their active directory password and tried again.  Still not working.  

And yes, I know it "feels" like they're typing the wrong password.  But I've tried their password and can't get it.  And the service desk has changed it and had them try the new one, and still not luck.

All other users are working as expected.  I don't know what else to try.  I have submitted a support ticket, but they're waiting for logs from when the user tries to log in - but the user is on vaca for now.  Thought I'd try the community.  :-)  THANKS!

3 answers

0 votes
Alexander April 11, 2022

Got the same error after turning off com.atlassian.confluence.user.ConfluenceAuthenticator and turning on com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator

What should i check ?

Alexander April 11, 2022

forget to edit crowd.properties file!

Like # people like this
0 votes
Jorge Quintanilla March 4, 2022

Hello @Mary Wilson

Could you explain what was the main issue on your AD config?

0 votes
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 22, 2017

Can you tell us the basics of the setup of your user directories?

What directories do you have, and in what order?  I suspect vandala may be duplicated and it's trying to log in as the wrong one...

Mary Wilson September 22, 2017

The order is:

  • JIRA Internal Directory
  • Active Directory server - our Columbus operations
  • Active Directory server - our Lisbon operations
  • Active Directory server - our Cincinnati operations
  • Active Directory server - our London operations

My user would be in the Columbus operations group.  

Don't know if it matters, but he's off shore and would be using VPN to come in and logging into JIRA from that VPN client.  Although we have other users who are coming in that way.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 22, 2017

Ok, great.  Can you check if there is a duplicate in the internal directory?  Same login id.

Like Alex Ulanovsky likes this
Mary Wilson September 25, 2017

Nope.  The only ID I have in the internal directory is admin.  

I did get a perplexing error early this AM when he tried to log in.  Looks like my Cincinnati domain was having issues syncing and threw this error:

2017-09-25 05:04:27,143 http-nio-80-exec-758 ERROR anonymous 304x652104x1 14fhbvj 10.70.57.20 /login.jsp [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'LUK BIND AD' is not functional during authentication of 'vandala@netjets.com'. Skipped.

What confuses me is that vandala is in the Columbus domain, so why would it care if LUK (Cincinnati) was having issues?

Mary Wilson September 25, 2017

Also, he's been able to log in before.  That's what really confuses me.  Something has changed.  I just can't figure out what!

ScreenShot113.jpg

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 25, 2017

You're right, Columbus shouldn't care if another domain is failing.  Does vandala only exist in Columbus?

Also, can you try getting the lines of logs above and below the line you gave in the question (only 5 either side at most)

Mary Wilson September 25, 2017

Yep, I checked and he only exists in Columbus.  Here is a chunk between two of his login attempts.  Sorry it's so huge:

2017-09-25 04:42:44,387 Caesium-1-3 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] INCREMENTAL synchronisation complete for directory [ 10200 ] in [ 23977ms ]
2017-09-25 04:42:49,348 Caesium-1-2 INFO ServiceRunner [c.a.c.d.ldap.cache.UsnChangedCacheRefresher] scanned and compared [ 0 ] groups for delete in DB cache in [ 0ms ]
2017-09-25 04:42:49,364 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] removing [ 0 ] groups
2017-09-25 04:42:49,364 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 0 ] groups successfully in [ 0ms ]
2017-09-25 04:42:49,364 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] INCREMENTAL synchronisation complete for directory [ 10400 ] in [ 28564ms ]
2017-09-25 04:48:43,671 http-nio-80-exec-769 ERROR anonymous 288x652016x1 1gjzfaq 10.70.57.20 /login.jsp [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'LUK BIND AD' is not functional during authentication of 'vandala@netjets.com'. Skipped.
2017-09-25 04:48:43,780 http-nio-80-exec-769 ERROR anonymous 288x652016x1 1gjzfaq 10.70.57.20 /login.jsp [c.a.j.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'vandala@netjets.com'.
com.atlassian.crowd.exception.runtime.OperationFailedException
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:945)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:87)
at com.atlassian.jira.security.login.JiraSeraphAuthenticator.crowdServiceAuthenticate(JiraSeraphAuthenticator.java:75)
at com.atlassian.jira.security.login.JiraSeraphAuthenticator.authenticate(JiraSeraphAuthenticator.java:49)
at com.atlassian.seraph.auth.DefaultAuthenticator.login(DefaultAuthenticator.java:88)
... 33 filtered
at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
... 10 filtered
at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
... 4 filtered
at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
... 26 filtered
at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
... 23 filtered
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.springframework.ldap.ConfigurationException: java.naming.provider.url property does not contain a URL; nested exception is javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:111)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
at org.springframework.ldap.core.support.AbstractContextSource.getReadWriteContext(AbstractContextSource.java:175)
at org.springframework.ldap.transaction.compensating.manager.TransactionAwareContextSourceProxy.getReadWriteContext(TransactionAwareContextSourceProxy.java:88)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$9.timedCall(SpringLdapTemplateWrapper.java:337)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$9.timedCall(SpringLdapTemplateWrapper.java:334)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$TimedCallable.call(SpringLdapTemplateWrapper.java:146)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:109)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.search(SpringLdapTemplateWrapper.java:334)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.searchWithLimitedResults(SpringLdapTemplateWrapper.java:376)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:503)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:464)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchUserObjects(SpringLDAPConnector.java:685)
at com.atlassian.crowd.directory.SpringLDAPConnector.findUserWithAttributesByName(SpringLDAPConnector.java:634)
at com.atlassian.crowd.directory.SpringLDAPConnector.findUserByName(SpringLDAPConnector.java:620)
at com.atlassian.crowd.directory.SpringLDAPConnector.authenticate(SpringLDAPConnector.java:1119)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:272)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.performAuthenticationAndUpdateAttributes(DbCachingRemoteDirectory.java:208)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:186)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:311)
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:198)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:75)
... 107 more
Caused by: javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:78)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
... 130 more
2017-09-25 05:04:27,143 http-nio-80-exec-758 ERROR anonymous 304x652104x1 14fhbvj 10.70.57.20 /login.jsp [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'LUK BIND AD' is not functional during authentication of 'vandala@netjets.com'. Skipped.
2017-09-25 05:04:27,642 http-nio-80-exec-758 ERROR anonymous 304x652104x1 14fhbvj 10.70.57.20 /login.jsp [c.a.j.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'vandala@netjets.com'.
com.atlassian.crowd.exception.runtime.OperationFailedException
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:945)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:87)
at com.atlassian.jira.security.login.JiraSeraphAuthenticator.crowdServiceAuthenticate(JiraSeraphAuthenticator.java:75)
at com.atlassian.jira.security.login.JiraSeraphAuthenticator.authenticate(JiraSeraphAuthenticator.java:49)
at com.atlassian.seraph.auth.DefaultAuthenticator.login(DefaultAuthenticator.java:88)
... 33 filtered
at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
... 10 filtered
at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
... 4 filtered
at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
... 26 filtered
at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
... 23 filtered
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.springframework.ldap.ConfigurationException: java.naming.provider.url property does not contain a URL; nested exception is javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:111)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
at org.springframework.ldap.core.support.AbstractContextSource.getReadWriteContext(AbstractContextSource.java:175)
at org.springframework.ldap.transaction.compensating.manager.TransactionAwareContextSourceProxy.getReadWriteContext(TransactionAwareContextSourceProxy.java:88)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$9.timedCall(SpringLdapTemplateWrapper.java:337)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$9.timedCall(SpringLdapTemplateWrapper.java:334)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$TimedCallable.call(SpringLdapTemplateWrapper.java:146)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:109)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.search(SpringLdapTemplateWrapper.java:334)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.searchWithLimitedResults(SpringLdapTemplateWrapper.java:376)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:503)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:464)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchUserObjects(SpringLDAPConnector.java:685)
at com.atlassian.crowd.directory.SpringLDAPConnector.findUserWithAttributesByName(SpringLDAPConnector.java:634)
at com.atlassian.crowd.directory.SpringLDAPConnector.findUserByName(SpringLDAPConnector.java:620)
at com.atlassian.crowd.directory.SpringLDAPConnector.authenticate(SpringLDAPConnector.java:1119)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:272)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.performAuthenticationAndUpdateAttributes(DbCachingRemoteDirectory.java:208)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:186)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:311)
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:198)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:75)
... 107 more
Caused by: javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:78)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
... 130 more
2017-09-25 05:09:43,776 Caesium-1-4 INFO ServiceRunner [c.a.j.p.h.service.ping.RefreshConnectionStatusJobHandler] Running RefreshConnectionStatusJobHandler...
2017-09-25 05:09:44,042 Caesium-1-2 INFO ServiceRunner [c.a.j.p.h.service.connect.InstallGlancesJobHandler] Running InstallGlancesJobHandler...
2017-09-25 05:09:44,042 Caesium-1-2 INFO ServiceRunner [c.a.j.p.h.service.connect.InstallGlancesJobHandler] There is no link to HipChat, no need to install glances.
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 25, 2017

Given the error of

Caused by: org.springframework.ldap.ConfigurationException: java.naming.provider.url property does not contain a URL; nested exception is javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL

That is a pretty clear indication that there is something wrong with the user directory that Jira is storing.  The KB JIRA drops LDAP configuration - java.naming.provider.url property does not contain a URL  better explains that error and steps you can follow to get around this.  I believe it has you recreating a new user directory with the same settings as the potentially corrupted user directory.   I recommend following the steps in that KB under the Diagnosis section first to make sure this applies to your instance.

 

If you follow those steps to fix this error, and you still have users that cannot login to Jira, then I would recommend following Unable to login to Jira Applications.  

This KB has additional steps to follow where you can turn on additional logging to better understand why users are unable to login to Jira.  But I would try to fix that 'java.naming.provider.url' exception first.

Like # people like this
Mary Wilson September 25, 2017

Thanks for that, Andrew.  However, that error is in reference to the Domain that user is NOT in, so I believe that is a red herring.  I don't disagree that I have an issue with that Domain, but my problem is with the ONE user that cannot log into JIRA who is in my Columbus Domain.  These errors today RE the LUK Domain are confusing the issue.  

It is my understanding that turning on the logs 

com.atlassian.jira.login com.atlassian.jira.login.security

will flood my logs, no?  I want to coordinate that with my user so that they can be turned on prior to him attempting a login and then turned off.  I'll let you know what I find after that attempt.

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 25, 2017

I would agree that you don't want to leave the DEBUG level logging on for those two packages long term.  It would be best to set them up just before this user tries to login and then take a look at the atlassian-jira-security.log file in your JIRAHOME/log/ folder.

Mary Wilson September 27, 2017

Ok, turned com.atlassian.jira.login com.atlassian.jira.login.security to DEBUG. 

2017-09-27 09:12:09,325 analyticsEventProcessor:thread-1 kgangaraju Setting JIRA Auth Context to be 'kgangaraju'
2017-09-27 09:12:09,325 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,654 http-nio-80-exec-862 anonymous 552x881031x1 bd7j3w 10.81.18.58 /rest/greenhopper/1.0/xboard/work/allData.json The cookie header is '760' characters : 'optimizelyEndUserId=oeu1482934706926r0.3486064234731623; __qca=P0-223010390-1482934707743; rxVisitor=1485353515595VBON37SAPLDT4NO83EI75BDPCTC1GI50; optimizelySegments=%7B%7D; optimizelyBuckets=%7B%7D; s_nr=1504102582326-Repeat; __utma=50468150.799443992.1482873239.1503685203.1504102577.38; __utmz=50468150.1503685203.37.21.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __hstc=9489834.365f06d027e4cabcc7fed512036b9c88.1482934709676.1499879167803.1504102584174.34; hubspotutk=365f06d027e4cabcc7fed512036b9c88; _ga=GA1.2.799443992.1482873239; _gid=GA1.2.420850058.1506453916; JSESSIONID=127244E4D175CCD4C458D56D78FDB2AE; atlassian.xsrf.token=BS0B-PWKG-2TLT-KNYW|63bf8f0c385fb1859874640400b4b57cf973e749|lin; jira.editor.user.mode=wysiwyg'.
2017-09-27 09:12:09,891 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login The cookie header is '131' characters : 'atlassian.xsrf.token=BS0B-PWKG-2TLT-KNYW|2ba8f7f483186f98471cd9a4e497e78e265b430f|lout; JSESSIONID=286DF7CDB4DF8E4B25AE0EF009F5E109'.
2017-09-27 09:12:09,907 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,907 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login login : 'vandala' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2017-09-27 09:12:09,907 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,922 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,922 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,938 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,938 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,969 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,969 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,969 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login The user 'vandala' has FAILED authentication. Failure count equals 49
2017-09-27 09:12:09,969 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login Gadget login called with lastLoginResult : com.atlassian.jira.bc.security.login.LoginResultImpl@731e243[reason=AUTHENTICATED_FAILED,loginInfo=com.atlassian.jira.bc.security.login.LoginInfoImpl@234f1a57[lastLoginTime=1497453769572,previousLoginTime=1494251526021,loginCount=64,currentFailedLoginCount=49,totalFailedLoginCount=55,lastFailedLoginTime=1506517929907,elevatedSecurityCheckRequired=false,maxAuthenticationAttemptsAllowed=300],userName=vandala,deniedReasons=[]]
2017-09-27 09:12:10,047 http-nio-80-exec-844 anonymous 552x881033x1 1mkqzmt 10.81.18.76 /rest/api/1.0/menus/greenhopper_menu The cookie header is '711' characters : 'optimizelyEndUserId=oeu1482331331335r0.7919635355681773; __qca=P0-553155517-1482331332791; optimizelySegments=%7B%7D; optimizelyBuckets=%7B%7D; __hstc=9489834.857a454fa590d39ae84f415d1c4d801a.1482331333009.1482331333009.1495048673323.2; hubspotutk=857a454fa590d39ae84f415d1c4d801a; s_fid=4E34C13728EBCCBA-19CE4E9506800E93; s_nr=1505409667550-New; __utma=50468150.791325845.1481830887.1502739867.1505409668.8; __utmz=50468150.1502739867.7.7.utmcsr=flydev.netjets.com|utmccn=(referral)|utmcmd=referral|utmcct=/Welcome/; _ga=GA1.2.791325845.1481830887; jira.editor.user.mode=wysiwyg; JSESSIONID=22225AEB9BFB214856E1EEF42D078C4D; atlassian.xsrf.token=BS0B-PWKG-2TLT-KNYW|b050cd72c9a378774c69a90a9398b3eddb862d10|lin'.
2017-09-27 09:12:10,094 Navlink Plugin Executor:thread-7 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:10,094 Navlink Plugin Executor:thread-7 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:10,125 http-nio-80-exec-850 anonymous 552x881034x1 bd7j3w 10.81.18.58 /rest/dev-status/1.0/issue/summary The cookie header is '760' characters : 'optimizelyEndUserId=oeu1482934706926r0.3486064234731623; __qca=P0-223010390-1482934707743; rxVisitor=1485353515595VBON37SAPLDT4NO83EI75BDPCTC1GI50; optimizelySegments=%7B%7D; optimizelyBuckets=%7B%7D; s_nr=1504102582326-Repeat; __utma=50468150.799443992.1482873239.1503685203.1504102577.38; __utmz=50468150.1503685203.37.21.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __hstc=9489834.365f06d027e4cabcc7fed512036b9c88.1482934709676.1499879167803.1504102584174.34; hubspotutk=365f06d027e4cabcc7fed512036b9c88; _ga=GA1.2.799443992.1482873239; _gid=GA1.2.420850058.1506453916; JSESSIONID=127244E4D175CCD4C458D56D78FDB2AE; atlassian.xsrf.token=BS0B-PWKG-2TLT-KNYW|63bf8f0c385fb1859874640400b4b57cf973e749|lin; jira.editor.user.mode=wysiwyg'.
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 27, 2017
2017-09-27 09:12:09,969 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login The user 'vandala' has FAILED authentication. Failure count equals 49
2017-09-27 09:12:09,969 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login Gadget login called with lastLoginResult : com.atlassian.jira.bc.security.login.LoginResultImpl@731e243[reason=AUTHENTICATED_FAILED,loginInfo=com.atlassian.jira.bc.security.login.LoginInfoImpl@234f1a57[lastLoginTime=1497453769572,previousLoginTime=1494251526021,loginCount=64,currentFailedLoginCount=49,totalFailedLoginCount=55,lastFailedLoginTime=1506517929907,elevatedSecurityCheckRequired=false,maxAuthenticationAttemptsAllowed=300],userName=vandala,deniedReasons=[]]


That 'AUTHENTICATED_FAILED' just tells us this username/password failed to login to that LDAP instance.   The most common reason is that the password doesn't match the username.  But this isn't the only reason. Unable to login to Jira Applications lists the other possible causes:

  • Check their login/password.
  • For LDAP users, this could happen when the user is created in Active Directory/LDAP with the setting to change password on first login and then the users login to JIRA before logging into a different system or Windows and change their password. The resolution would be to request the user to login to another system and change their password or ensure they do not need to reset their password on next login.
  • In Active Directory, the LDAP server is not listed in the Log On To list for the particular user (User Properties > Account > Log On To...)

(info) If a specific group of users are having this error consistently, it could be caused by the ldap.user.dn - A group of users are not able to login due to AUTHENTICATED_FAILED error

 

So if we rule out all of these possible causes list above here, I think the next steps would be to recreate the User directory in Jira once more.  Which would be the same steps to follow to fix the other error.   I am not yet convinced the other KB of JIRA drops LDAP configuration - java.naming.provider.url property does not contain a URL isn't the cause of this problem yet.

Even though you stated this user does not exist in that other user directory, if that directory in Jira has become corrupted in Jira's database, and Jira believes that username exists in a higher ordered directory, Jira will only allow the user to login to the highest ordered directory where that username exists.

Mary Wilson September 28, 2017

I haven't been able to redo that configuration, but I was able to disable it and the other configurations, leaving only my Columbus config and he still cannot log in and gets the same error.  I'm at a loss at this point.  

Mary Wilson November 3, 2017

As an update - Atlassian had me forcibly delete the user from our database, resync with Active Directory and see if that fixed things.  It DIDN'T!  Anyone else have thoughts??  

Mary Wilson November 28, 2017

One more update.  The same user is not able to log into our Confluence site either.  When trying to log in to either JIRA or Confluence, they get the "username or password incorrect" error.  

Another interesting tidbit is that we just changed his password and attempted to log in from onsite with the newly change password and also get the same username/pw error...

Thoughts?

Sébastien RUNG April 9, 2018

Hi Mary,

We use the same version 7.4.3, and one of our user is not able to connect.

Do you manage to solve this issue ?

Regards,

Mary Wilson April 9, 2018

This turned out to be a configuration issue for the user on our Active Directory side.  Had nothing to do with JIRA.

Helen June 3, 2018

Are you able to elaborate on the config issue? I've just run into this, and the suggestions in this thread aren't making any difference.

Tim C November 5, 2018

@Mary Wilson can you elaborate on the config issue? We have the same problem with one of our users and cant figure it out.

Robin Loose May 8, 2019

Hi,

I had the same issue an I found out, that in the AD the user got manually set a new password with the checkmark "Force user to change password on next login". This was the reason, why the user could not login on other platforms connected to the AD.

Maybe this helps.

Romain FOURNIER July 26, 2023

Hi all

I had the same problem with just one of my user.

I managed to handle the issue : it came from the "logon to" tab of user's AD account.

He had just two computers names instead of nothing (all computers).

Hope this will be usefull for you guys.

Regards

Suggest an answer

Log in or Sign up to answer